This will be a basic guide to some common and basic hacking tools. It is intended mainly for those who have no prior knowledge of them and aren't sure where to begin. With some tweaking and common sense, you should be able to apply these to some of the missions on this site. I use the Firefox web browser (also known simply as FF) due to its collection of add-ons, and will be referencing it throughout this tutorial. That doesn't mean the things mentioned here can't be done with other browsers; you just may need to find another way of doing it. I suggest downloading Firefox as well as the following add-ons/tools:
Firefox:Click here for Firefox
Go here and search for the add-ons but don't limit yourself to just these:
https://addons.mozilla.org/en-US/firefox
Web Developer
Firebug
RefControl
Live HTTP headers
Tamperdata
user agent switcher
FoxyProxy

Viewing source code
To view the source code of the webpage, simply have your browser opened and place the mouse cursor somewhere on the page (but not over a picture) and right click the mouse, then choose 'view page source'. Another way to do this is to go to the tool bar at the upper left of the browser and click on 'View', then scroll down to 'Page Source', or you can use the Control key on the keyboard and the letter 'u', which would look like this: Ctrl+u
There are other ways as well: if you've downloaded the suggested add-on 'Web Developer toolbar', just click on 'view source'. Once you have the source code opened, look through it and see if anything stands out to you.

You may see things like:
img src="images/img08.jpg"
What that's telling you is that one of the images on the web page is coming from a directory called 'images' and that the picture is named 'img08.jpg'. Let's add that to the address bar or 'url' and see what we get:
http://www.teamdream.netau.net/images/img08.jpg

You should be looking at an image now and no text. This is also letting us know that there is information in the /images directory, so let's take off the ending of /img08.jpg and see what happens:
http://www.teamdream.netau.net/images

Interesting, eh? Not every directory or subdirectory is always viewable but it certainly doesn't hurt to look. Oh, and when you see something like this, usually in green, <!-- start header --> it's a way to add a comment in the source code without having it show up on the web page itself.
Moving on.....

Manipulating source code
Let's have a little fun and make some changes to the code. These changes will not affect the actual web site. View the source code of the page, then copy everything on it and paste it in a text editor like Notepad. Move down in the text editor about 35 lines or so until you come to (you can also hit Ctrl+f to search within the source code):
CODE :

<h1>Dream Sharing<br /></h1>
<p>Encouraging You to Dream</p>

Change the text in those 2 lines to something else:
CODE :

<h1>Ice cream!<br /></h1>
<p>Get your ice cream here!</p>

After making some changes, it's time to save the file. Go to 'file' then 'save as'. In the 'File name:' box save it as 'dream.html' <--notice we saved it with a webpage extension? html=Hypertext Markup Language. Next, below the 'File name:' option is 'Save as type:'; make sure you change that to 'All files', otherwise it will save as a text file and not html.

Next, find the saved file and double click on it. It should open in your browser with the ice cream comments on it. Don't be alarmed that the images didn't show up, remember they are in a different directory and you have actually saved this 'offline' and on your own computer.

Firebug
If you've downloaded firebug, it's even easier. You should see a little firebug at the bottom right of your browser so click on it.

If you don't, go to 'tools'-->firebug-->open firebug (or the shortcut which is the f12 button). Click on 'Edit' in firebug and you should now see the source to the page.

If you make the same changes now, you will see it happen instantly! Also, since you are at the actual webpage, the images and all will still be visible. Again, the changes aren't permanent.

Viewing cookies
With Web Developer, click on 'cookies', then 'view cookie information'. Simple. From there it even gives you the option to edit the cookie. Firebug also has a cookie tab to view the information. JavaScript can also be used to view and edit cookies. To do so, clear everything out of your address bar then type:
CODE :

java script:alert(document.cookie)

then hit enter
*NOTE: there should be NO space in 'java script', it is ONE word so remove the space first. It is only there due to security measures in place by the article system.
You should now have a pop up box containing your cookie information. If you are doing this from the teamdreaminc web page you should see something like:
PHPSESSID=4bf1322f07104fc1587657852db8a712

Now let's change that with JavaScript, but instead of the alert command we will be using void:
CODE :

java script:void(document.cookie="PHPSESSID=12345")

Notice that everything in the quotes is what we want changed.
You can also use void and alert on the same line to make sure that the changes have taken place. They are separated by a semi-colon, and this code will all be one line:
CODE :

You should now have an alert box with the new cookie information. Sometimes cookie information may contain things like userid=2 or authorized=false.....use your imagination here.
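
Because any cookie value can be edited in the browser as shown above, a server that reads a flag like authorized=false straight from the cookie is trusting the client. The following is an added example (not from the original article or from the site's own code) contrasting that check with an HMAC-signed cookie; the function names and SERVER_KEY are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a random key generated and kept only on the server.
SERVER_KEY = secrets.token_bytes(32)


def _tag(name: str, value: str, key: bytes) -> str:
    # The MAC covers the cookie name too, so a tag cannot be moved to another cookie.
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_cookie(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.tag' for the server to set as the cookie value."""
    return f"{value}.{_tag(name, value, key)}"


def verify_cookie(name: str, signed: str, key: bytes = SERVER_KEY):
    """Return the original value if the tag checks out, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None  # no tag at all: the client made this value up
    expected = _tag(name, value, key)
    # Constant-time comparison on bytes (also tolerates non-ASCII input).
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return value
    return None


def is_authorized_naive(cookies: dict) -> bool:
    # Weak: believes whatever the browser sent, so editing the cookie works.
    return cookies.get("authorized") == "true"


def is_authorized_signed(cookies: dict) -> bool:
    # Hardened: only values this server signed are accepted.
    return verify_cookie("authorized", cookies.get("authorized", "")) == "true"


if __name__ == "__main__":
    issued = sign_cookie("authorized", "false")    # what the server sets
    edited = "true"                                # constructed: value typed in by the user
    spliced = "true." + issued.rpartition(".")[2]  # constructed: new value, old tag
    print("naive, edited cookie:  ", is_authorized_naive({"authorized": edited}))
    print("signed, edited cookie: ", is_authorized_signed({"authorized": edited}))
    print("signed, spliced cookie:", is_authorized_signed({"authorized": spliced}))
    print("signed, issued cookie: ", is_authorized_signed({"authorized": issued}))
```

Where possible, keep authorization state on the server keyed by a random session ID, so the cookie carries nothing worth editing.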

JavaScript can also be used to change information in the source code if it's vulnerable. Typically, brackets are used in the source code as such to begin <> and </> to end something. Note that when counting <form action></form> in source that the count starts with zero, the 2nd form action is counted as one and so on. Here is an example of a 'form action':
CODE :

The opening <> brackets contain form action information and then it's closed out with </form>. Let's say we want to change the value of 'Friend' to 'Sucker' and this was the only form action found so it will be numbered as '0' (zero):
CODE :

That will take the first form action, then change its select value and finally, alert the change. If you use JavaScript and nothing at all happens when hitting enter then there is probably an error in your syntax, so check over it. Don't forget that you can also copy & paste the source code to a text editor, make the changes 'offline' and save it as a *.html, or easier, use firebug.
For more information on a wide variety of subjects such as JavaScript, html, php, sql, etc. visit: http://www.w3schools.com

Let's move over to http://www.hackthissite.org and if you've downloaded Live HTTP Headers for FF, go ahead and open it. You can go to 'tools', then find it in the menu. It should open in a new tab. Now click the hackthissite.org and log in. Once it's done loading, click the Live HTTP Headers tab and see what is displayed. You should see some valuable information such as your user-agent, referrer, GET or POST information, cookie information, Server, etc. You also have a few tabs inside of HTTP Headers so check them out as well. This is another way of collecting information.

Tamperdata
I enjoy using this little tool. Log out of hackthissite but stay at the login page. Now, go to 'tools' and find tamperdata and click on it. Once it opens up choose 'Start Tamper' from the menu. Now log in to hackthissite. You should get a pop up that says "Tamper with request?" If it's a pop up that says 'http://wpad/wpad.dat' or any Tamper request that is blank, just close it or choose 'Abort request'. The one we are after is 'http://www.hackthissite.org/user/login' when you get that popup, click on 'Tamper'.

You have now intercepted the POST login data on its way to the server. You should see your login information on the right side of Tamper Data and on the left side, information about your user agent, referrer, cookie, etc.

The nice thing about Tamper Data is that you can change any of that information right here if you wanted to. This can come in very handy at times. It is sometimes even a way to bypass certain security measures where user input is sanitized and can now be set back to its original format.

RefControl
This is a tool to change your referrer (also spelled 'referer'). From 'tools' choose 'RefControl options'. Next click the tab 'Add Site'. Where it now says 'Site', enter the website that you want to spoof your referrer to. You only need to enter the main website and not all of the subdirectories, so for instance if you wanted to spoof your referrer to hackthissite.org/pages/ you would only need to enter: http://www.hackthissite.org and the rest of the site will also be covered. Next choose the 'Custom' option and enter whatever you want as your spoofed referrer, example: http://ari.co.eu/

Why not check it and see if it worked? Try Live HTTP Headers or Tamperdata and see what it tells you.

User Agent Switcher
This one is just as simple as RefControl. From 'tools' choose 'Default User Agent' then 'Edit User Agents'. Where it says 'New' select 'New User Agent'. In the box titled Description you can name it whatever you'd like and then you can feel free to change the other options to your choosing. Just to test it though, clear out all of the boxes and in 'Description' put in: Custom then in User Agent: Custom
You can leave the rest blank. Go ahead and check it with the same options and see if it has changed.

FoxyProxy
This add-on tool for Firefox will let you change your ip address. Your ip address or 'internet protocol address' is kind of like a phone number. Although it isn't formatted like one, it is a series of numbers that are assigned to your computer so it can communicate back and forth with the internet. The information has to know where to go and so it follows a path to and from your ip address. If you go to the following link, it will give you your current ip address:Click for IP lookup
For some information about your internet service provider, click this link that's on the same page: IP owner info (Whois)
What if you wanted to spoof your ip address? Let's use FoxyProxy and give it a try. The first thing we are going to need is a list of proxies that we can use. There are a lot of sites that host these but for now we will use this one: Click for proxy list
That site will explain to you some things about proxy servers and anonymous surfing. After you've read it, click on one of the links where it says, "Go to see Proxy Lists!". Choose by proxy type, country, time, or IP. Note this though...not all of the proxies will work and they may not stay active for long so if at first one doesn't work, don't be discouraged just try a different one. For this let's choose 'Proxy list sorted by time' to get a fresh one. Here you will see lists like this:
'IP address'-------'Anonymity level'------'Checked time'-----'Country'
123.456.789.012:80 high-anonymous server 16 minutes ago China
Under the heading of 'IP address' you will see the ip is listed and at the end of it is the port it will be using. 123.456.789.012 is the ip address and in this case, 80 is the port. The ':' separates them. ***I changed the ip address here so don't try to use my example, it won't work. Get one from the site and pick one that's anonymous.
Visit Proxy servers for explanations of the various types.
Now let's open FoxyProxy. Go to the bottom right corner of FF where you should see 'FoxyProxy:Disabled' Click on it and it should open. If you don't see that at the bottom right you can go to 'tools', then FoxyProxy and 'options'.

On the right side of the FoxyProxy Options popup, click 'Add New Proxy'.

You should now be in 'Proxy Settings' in the 'Proxy Details' tab. Next make sure that the 'Manual Proxy Configuration' circle is checked. Where it says 'Host or IP Address' enter the ip and then in port..you guessed it...enter the port number.

Next click the 'General' tab near the top left. In Proxy Name, enter whatever you'd like but we will be using 'China' for this example. In 'Proxy Notes' let's add in 'anonymous proxy' but you can leave it blank if you'd like. Next click 'Ok', then close FoxyProxy.

If you'd like to test it, right click on 'FoxyProxy:Disabled' and you should see 'Use proxy "China" for all URLs' so move up to it and click on it. Instead of saying :Disabled it should now be blue and read 'FoxyProxy:China'. Go back to: Ip lookup and see if your ip address has changed. If the page doesn't load, try a different ip and realize that you can just use 'edit Selection' instead of adding a new proxy. You might have to right click FoxyProxy again and choose 'Completely disable FoxyProxy' first. If it did work, congratulations, you are now being rerouted through a foreign proxy! On a side note, when visiting google you might see links and such in the language of whatever proxy you are using and pages may load slower. Not a big deal. There is more you can do with FoxyProxy but that should get you started. The rest is up to you.

*update: Don't skip playing around with FoxyProxy for experience, but know that you can also use the Tor Browser Bundle:
https://www.torproject.org/projects/torbrowser.html.en

When someone designs a website they intend for the visitor to use things as they have set them up, but with various tools and some clever thinking, a visitor can think outside of the box and exploit vulnerabilities the web developer probably doesn't know exist. A user doesn't have to follow the path through the website that the web developer expects. This is partly where CSRF'ing comes in. CSRF stands for Cross Site Request Forgery and it is one of the wiki links posted at the top of this article. You will come across examples of this in some of the realistic missions. Just remember that you are not limited to what you are looking at, go behind the scenes and think outside of the box!

Hopefully some of these things will be useful to you as you begin your journey!

hey plz tell me what is the use of Tamperdata actually? dint understand what "bypass certain security measures" means..... and also how to check about the referrer thing? in brief, what is a referrer at all? plz find time to help me with this.

Thanks again for the nice reviews.
@thenewguypai: I posted a link in the article about referrers but here are a couple of quotes from Wikipedia:
"When visiting a webpage, the referrer or referring page is the URL of the previous webpage from which a link was followed."

"By checking the referrer, the new page can see where the request came from. Referrer logging is used to allow websites and web servers to identify where people are visiting them from, for promotional or security purposes."

"Many web sites log referrers as part of their attempt to track their users."

"As referrer information can violate privacy, some browsers allow the user to disable the sending of referrer information."
So if you were at http://google.com and then went to http://hackthissite.org, a header is sent to hackthissite telling it that you just came from google.com

As far as tamperdata and bypassing some security measures I will give a quick example. Let's say you enter this basic XSS script in a search box:
<script>alert('XSS')</script>
You run tamperdata and catch that it is being sanitized:
%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E
If further security measures aren't in place you can change that back to its original format and resubmit it. If you receive a pop up then your script is being run. This was found to be the case in the 'Title' box when submitting an article on HTS as well, but it has since been fixed. DO NOT TRY THIS ON HACKTHISSITE!!! It has been fixed and as staff, we do not want to see pending articles to test this.
I hope this helped.
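
Percent-encoding such as %3Cscript%3E is how a browser transports form data, and the server decodes it before the application sees it, so a request edited in an intercepting tool like Tamper Data arrives as the same string either way. The following added example (not part of the original article or comments; the function names and the sample request body are constructed for illustration) shows that, along with the control that does matter for the Tamper Data section and the reply above: escaping on the server when the value is written into HTML.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: the search form body as it appears in an intercepting tool.
ENCODED_BODY = "q=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E"
# Constructed sample: the same body after being edited back to raw characters.
EDITED_BODY = "q=<script>alert('XSS')</script>"


def search_term(body: str) -> str:
    """Decode a form body the way a server-side framework does before app code runs."""
    return parse_qs(body, keep_blank_values=True).get("q", [""])[0]


def render_unsafe(term: str) -> str:
    # Vulnerable: the decoded input is concatenated into the page unchanged.
    return f"<p>Results for {term}</p>"


def render_safe(term: str) -> str:
    # Hardened: escape at output time for the HTML context the value lands in.
    return f"<p>Results for {html.escape(term, quote=True)}</p>"


def server_sees_same_value() -> bool:
    # Encoded or edited, the application receives an identical string,
    # so nothing the browser did to the value counts as a security control.
    return search_term(ENCODED_BODY) == search_term(EDITED_BODY)


if __name__ == "__main__":
    term = search_term(ENCODED_BODY)
    print("decoded by server:", term)
    print("same after edit:  ", server_sees_same_value())
    print("unsafe page:      ", render_unsafe(term))
    print("safe page:        ", render_safe(term))
```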

I'm having trouble with firebug. When I try to edit the HTML in firebug I don't get a response. It won't let me change anything. I just used the edit HTML in the web developers toolbar to make changes. Am I doing something wrong?

hey defience, since you seem to be such a nice guy, answering stuff, guess i'm gonna bug u for quite some time now, if you dont mind... :)

about sanitizing the password and other info, now what if i change it back to the original state? wat use?

Also at the end of the article, you'v mentioned about going behind the scenes and all, plz try givin me more examples.

And i've recently been made part of a team for a project to build a website, which lets students in the place where i study view their progress on a monthly basis. - Hacking is something i always love and wanna learn, but guess what, i'm in the security team ;) .... - Can u jus tel me on wat areas i hav to concentrate? both for the website and the database server with respect to its security aspects.
I'm OK with a few of the programming and scripting languages.

I had success with TamperData. I reloaded the website and caught one of the strings that included a referrer field. I have no idea what the heck it was, but I successfully altered my referrer to http://www.google.com/ (found it in Live HTTP headers). :)

I am having problems with the site. I cannot access the forums or private messages... it wants me to agree to the EULA, then it wants to to choose language, time zone, and username... but the username field doesn't show up. I also never received a confirmation e-mail. :(

@ElectroPlasma- I'd suggest submitting a bug report so a developer can look at the problems you're having within the site.

@thenewguypai-When I wrote:"Just remember that you are not limited to what you are looking at, go behind the scenes and think outside of the box!" I meant to not just look at the front of a web page but to 'go behind it' by checking the source code, search boxes, urls, sql, submit areas, post & get requests, headers, data, etc.